DOCSLIB.ORG

Payment Card Industry Data Security Program Standard

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Payment Card Industry Data Security Program Standard Montana State University Effective Date: April 5, 2017 Review Date: April 5, 2020 Updated Date: Payment Card Industry (PCI) Data Security Program and Standard Brief Description: To ensure campus compliance with the Payment Card Industry Data Security Standard (PCI-DSS) Introduction: The purpose of this program is to ensure that payment card (credit card) and ecommerce activities are consistent, efficient, and secure to protect the interests of the University and its customers. This standard provides guidance to ensure that campus credit card acceptance and ecommerce processes comply with the Payment Card Industry Data Security Standard (PCI DSS) and are appropriately integrated with the University’s financial and other systems. Scope: This policy applies to Montana State University as well as its self-supporting operations, contractors, consultants, or agents who, in the course of doing business on behalf of the University, accept, process, transmit, store, or otherwise handle cardholder information in physical or electronic form. This policy also applies to all Montana State University organizations that accept process, transmit, store, or otherwise handle cardholder information in physical or electronic form. This policy applies to all types of credit card activity transacted in person, over the phone, via fax, mail, or the internet. System and device functionalities established for credit card data activities of the university may be used only for credit card data activities of the university, not for personal use. PCI Security Standards PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council to protect cardholder data. The standards globally govern all merchants and organizations that store, process, or transmit data, are mandatory for their respective stakeholders, and are enforced by the major payment card brands who established the Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and VISA Inc. • PCI Data Security Standard: The PCI DSS applies to any entity that captures, stores, processes, or transmits cardholder data. It covers technical and operational system components included in or connected to cardholder data. Any business activity that accepts or processes payment cards must comply with the PCI DSS. • PCI Data Security Standard for Merchants and Processors: The PCI DSS is the global data security standard that any business of any size must adhere to in order to accept payment cards. It presents steps that appeal to common sense and mirror best security practices. Operating Principles The following operating principles must be used by departments when accepting credit card information in order to process payments for services, purchases, registration, etc. • All merchant sites and merchant card processors must be authorized and approved by University Business Services. This includes approval of the written agreement with the service provider. A written agreement must be made with each service provider. • Such authorization is required for new credit card acceptance channels / merchant accounts, and any addition or change to an existing channel/account including, but not limited to, the: o use of existing credit card acceptance channels / merchant accounts for new purposes o alteration of business processes that involve payment card processing activities o addition or alteration of payment systems or technologies o addition or alterations of relationships with third-party payment card service providers • All merchant card services offered by the University must be delivered using software, systems, and procedures that are compliant with applicable standards. • When processing credit card transactions, only the minimum amount of information necessary to verify the identity of the cardholder and the legitimacy of the cardholder authorization should be gathered. For example, manual requests to process a customer’s credit or debit card may contain the following elements: o Properly signed/executed authorization from the cardholder (unless processing over the telephone as provided for in NACHA guidance on TEL transactions) o Credit/debit card account number with expiration date o The cardholder’s correct billing address o Authorization codes (Card Identification Number), if the cardholder is not physically present Credit Card Merchant Numbers • All credit card merchant ID numbers must be obtained from University Business Services. Revenue-generating departments are prohibited from obtaining merchant ID numbers directly from the credit card companies or processors. • Departments must use only University Business Services approved third-party providers to ensure PCI compliance. Credit Card Acceptance Channels • Credit card information can be accepted through a Montana State University authorized web application, by telephone, or in person only. • Credit card information cannot be accepted via email (or similar messaging system), fax, voicemail and should never be emailed from the department. • If data must be written down, use the standard credit card authorization form found on the University Business Services website under PCI. Print this form out on bright paper, so that staff will know what it is by color. • Departments are not permitted to capture, transmit, process, or store credit card information on Montana State University computer systems, fax machines, the internet, email (or similar messaging system), or any removable electronic storage device (USB memory stick, hard drive, zip drive, etc.). • When possible, cashiering sites accepting credit card payments should only use Point of Sale terminals or equipment supplied to the location by the campus’ merchant card processor. In all cases, Point of Sale terminals and systems must be configured to prevent retention of the full magnetic strip, card validation code, PIN, or PIN Block cardholder data once a transaction has been authorized. o The three- or four-digit validation code printed on the payment card, referred to as the Card Identification Number (CID), must never be stored in any form. The CID number may also be referred to as the CVC2 or CVV2. o The full contents of any track data from the payment card’s magnetic stripe must never be stored in any form. o The personal identification number (PIN) or encrypted PIN block must never be stored in any form. o If electronic storage is authorized, the primary account number (PAN) must be rendered unreadable anywhere it is stored. o All but the last four digits of any credit card account number must be masked when it is necessary to display credit card data. Credit Card Information Storage • Paper records containing credit card data must be secured at all times, e.g., stored in a locked file cabinet or locked room in a secure storage container, if any, used for materials that are to be destroyed. Access to the storage area(s) must be limited to those who need access to the credit card data records. Credit Card Receipts • Credit card receipts that go to the customer and University Business Services may only show the last four digits of the credit card number. Also, the credit card expiration date should not appear on the receipt. Annual Self-Assessment and Periodic Internal Network Scan • Each department processing payment cards must complete an annual PCI DSS Compliance Internal Assessment Questionnaire. • Departments must work to resolve any exceptions listed in the questionnaire. Departments must also work with the PCI Working Team to resolve any compensating controls. Training • Employees who are expected to be given access to cardholder data shall initially be required to complete PCI DSS Training and then renew that training at least annually. • Employees shall be required to acknowledge at least annually that they have received training, understand cardholder security requirements, and agree to comply with these requirements. Definitions: Cardholder The customer to whom a payment card has been issued or the individual authorized to use the card. Cardholder Data At a minimum, cardholder data consists of the full PAN (primary account number). Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code. Encryption The process of converting information into an unintelligible form to anyone except holders of a specific cryptographic key (Use of encryption protects information that is between the encryption process and the decryption process from unauthorized disclosure.). Merchant or Merchant Department Any University department or other entity that accepts payment cards bearing the logos of any of the five members of the Payment Card Industry Security Standards Council (American Express, Discover, JCB, MasterCard or VISA) as payment for goods and/or services, or to accept donations. Payment Card Any payment card/device that bears the logo of American Express, Discover Financial Services, JCB International, MasterCard Worldwide, or VISA, Inc. Responsibilities: University Business Services University Business Services has been delegated the authority by the University to approve all physical payment locations, websites, third party processors, or any channel accepting credit card payments, and will be responsible for verifying that credit card payments are only accepted at approved locations using approved merchant card processors. Additional University Business Services responsibilities include: • Establishing and
Load more

Recommended publications
  • See Fee Chart
    List of all fees for inPOWER Prepaid Mastercard®. All fees Amount Details Get started Pay-As-You- Plan options Monthly Plan Go Plan New Card Account There is no fee to open a card account. $0.00 $0.00 Monthly usage Monthly Plan: You will be charged $7.95 each month you are enrolled in the Monthly Plan. The fee descriptor that will be shown on transaction history statements is: Monthly Maintenance Fee Monthly Plan: To qualify for a $2.00 credit each month, you must receive a qualifying direct deposit of paychecks and/or government benefits totaling at least $100.00 in one (1) calendar month. If you are currently enrolled in the Monthly Plan, you will automatically be enrolled in the plan to receive the credit, and if you are in the Pay-As-You-Go plan, you can visit a Pay-O-Matic Location to change to your plan. Plan fee $0.00 $7.95 You may switch between the Pay-As-You-Go Plan and the Monthly Fee Plan one time during any ninety (90) day period. Changes made on or before the 19th of the month will take effect on the 24th of each month. Changes made on or after the 20th of the month will not be effective until the following month, on the 24th. The fee descriptor that will be shown on the transaction history statement for the credit is: Monthly Maintenance Fee Credit Per Month. A $5.00 fee will be charged during each month in which there have been no cardholder-initiated, balance-changing transactions for at least ninety (90) calendar days.
    [Show full text]
  • SAFE and SECURE PAYMENTS: the MASTERCARD APPROACH Global Point of View
    SAFE AND SECURE PAYMENTS: THE MASTERCARD APPROACH Global point of view For nearly 50 years MasterCard has been safeguarding the way you pay. We have been innovating solutions driven by data and insights to increase the safety and security of electronic payments. Our safety and security guarantee: we want to give consumers the peace of mind to pay with confidence, and our goal is to build a world beyond cash where every person, every payment and every device is protected. Consumers need a safe and simple experience when making a payment, wherever they are in the world and whether they tap, click or swipe. MasterCard is investing time and money to continuously enhance the technology to detect and prevent fraud so that consumers can be confident that their money is safe. In the rare event that fraud1 does occur, we ensure consumer peace of mind by limiting or eliminating cardholder liability2. EXECUTIVE summary MasterCard is the leading technology company delivering electronic payments and the leader in safety and security • Technology and payment methods are changing every day – payments are becoming faster, smarter and more sophisticated. • Cards remain one of the safest ways to pay, with only 6 cents for every $100 spent on major global cards lost to fraud. MasterCard’s safety and security measures have already reduced this number to 5 cents. • We are investing in innovative payment and security solutions so consumers have a safe, secure and convenient payment experience. Safety and security is our number one priority. MasterCard guarantees safety and security with smart technology to ensure we are always one step ahead of fraudsters 1.
    [Show full text]
  • The Benefits of Electronic Payments in the Canadian Economy a White Paper Prepared by IHS Global Insight and Visa Canada
    The BenefiTs of elecTronic PaymenTs in The canadian economy A White Paper Prepared by IHS Global Insight and Visa Canada tHIrd edItIon editor’s note The Benefits of electronic Payments in the canadian economy, Third edition is a white paper designed to explore the social and economic benefits of electronic payments to the Canadian economy. Commissioned by Visa Canada, a wholly owned subsidiary of Visa Inc., this white paper is based on research conducted by IHS Global Insight, an econometric forecasting agency. For more details on IHS Global Insight’s methodology, please refer to the Methodology Appendix. Third Edition - 2012 Table of contents executive summary 2 electronic Payments in canada 4 Benefits to Consumers and Merchants Usage Trends in Canada The Big Picture 7 The Macroeconomic Value of Electronic Payments in Canada Electronic Payments in a Global Context Working with Governments to Increase Efficiency inbound Travel To canada: The impact of electronic Payments on Travel and Tourism 11 The efficient enterprise: The impact of electronic Payments on canadian Business 14 everything Within reach: The impact of electronic Payments on the digital economy 16 Protecting the system 17 Payment Card Industry Chip Technology conclusion 18 Visa: advancing the future of electronic Payments 19 Ways to Pay The Foundation for Innovation Visa Invests in the Security of the System Visa: a responsible Partner 23 Ensuring Financial Literacy executive summary over the last decade, Canada has benefited from strong • enhancing economic transparency and reducing the economic foundations: our highly-skilled workforce, “grey economy” of underreported cash transactions. modern infrastructure, natural resources, disciplined • Broadening participation and inclusion in financial financial system, and technological innovation have all services.
    [Show full text]
  • Payment Card Industry Policy
    Payment Card Industry Policy POLICY STATEMENT Palmer College of Chiropractic (College) supports the acceptance of credit cards as payment for goods and/or services and is committed to management of its payment card processes in a manner that protects customer information; complies with data security standards required by the payment card industry; and other applicable law(s). As such, the College requires all individuals who handle, process, support or manage payment card transactions received by the College to comply with current Payment Card Industry (PCI) Data Security Standards (DSS), this policy and associated processes. PURPOSE This Payment Card Policy (Policy) establishes and describes the College’s expectations regarding the protection of customer cardholder data in order to protect the College from a cardholder breach in accordance with PCI (Payment Card Industry) DSS (Data Security Standards). SCOPE This Policy applies to the entire College community, which is defined as including the Davenport campus (Palmer College Foundation, d/b/a Palmer College of Chiropractic), West campus (Palmer College of Chiropractic West) and Florida campus (Palmer College Foundation, Inc., d/b/a Palmer College of Chiropractic Florida) and any other person(s), groups or organizations affiliated with any Palmer campus. DEFINITIONS For the purposes of this Policy, the following terms shall be defined as noted below: 1. The term “College” refers to Palmer College of Chiropractic, including operations on the Davenport campus, West campus and Florida campus. 2. The term “Cardholder data” refers to more than the last four digits of a customer’s 16- digit payment card number, cardholder name, expiration date, CVV2/CVV or PIN.
    [Show full text]
  • Unionpay: Visa and Mastercard's Tough Chinese Rival
    1.35% AXP American Express Co $66.0 USD 0.87 1.32% Market data is delayed at least 15 minutes. Company Lookup Ticker Symbol or Company Go Among the myriad designer brands at the Harrods flagship store in London, Chinese housewife Li Yafang spotted a corporate logo she knows from back home: the red, blue, and green of UnionPay cards. “It’s very convenient,” said Li, 39, as a salesperson rang up a £1,190 ($1,920) Prada Saffiano Lux handbag. With 2.9 billion cards in circulation—equal to 45 percent of the world’s total last year—UnionPay has grown into a payments processing colossus just 10 years after the company was founded. Now accepted in 135 countries, its share of global credit- and debit-card transaction volume for the first half of 2012 rose to 23.8 percent, propelling it to No. 2 behind Visa International (V), according to the Nilson Report, an industry newsletter. “UnionPay has absolute dominance in China, and it’s now expanding beyond that to become a top global player,” says James Friedman, an analyst at Susquehanna International Group. “Their numbers show they are already in the league of Visa and MasterCard (MA).” Yin Lian, UnionPay’s name in Mandarin, means “banks united,” which reflects its ownership structure. Its founding shareholders were 85 Chinese banks, led by the five biggest state-owned lenders. UnionPay’s top managers are former senior officials at the People’s Bank of China, the nation’s central bank. (The company would not make executives available for interviews.) At home, the Shanghai-based firm enjoys a big competitive edge: The government requires that all automated teller machines and Chinese merchants use UnionPay’s electronic payments network to process payments in the local currency.
    [Show full text]
  • Maintaining PCI Compliance Through Innovation
    February 2018 Maintaining PCI Compliance Through Innovation An article by Angela K. Hipsher-Williams, CISA, QSA, and Jonathan J. Sharpe, CISA, QSA Audit / Tax / Advisory / Risk / Performance Smart decisions. Lasting value.™ Maintaining PCI Compliance Through Innovation The ascendance of online retailers and mobile ordering has created a hypercompetitive environment for purveyors of consumer products and services. Customers today expect a frictionless, “endless aisle” ordering experience, where any item they can think of is instantly orderable, if not instantly accessible. Customers’ demand for instant gratification PCI Compliance is not limited to the online environment. Traditional retailers and restaurants are Stricter Than Ever thus being forced to innovate in a variety While new payment solutions offer flexibility of ways to try to replicate the online and convenience for patrons, these customer experience. Particularly ripe innovations have security and compliance for innovation is the process of ordering implications for merchants and customers and paying for goods and services, alike. Recent large-scale payment card but payment innovations come with breaches have laid bare some of the a number of pitfalls when it comes to risks, and in response, PCI compliance payment card industry (PCI) compliance. requirements have become stricter than ever. Organizations must fully evaluate the implications of implementing new payment technologies, weighing convenience against cybersecurity risk. Devoting adequate resources to data security and
    [Show full text]
  • Visa Inc. and the Global Payments Industry1
    W14186 VISA INC. AND THE GLOBAL PAYMENTS INDUSTRY1 Professors Neil Bendle and Dan Horne wrote this case solely to provide material for class discussion. The authors do not intend to illustrate either effective or ineffective handling of a managerial situation. The authors may have disguised certain names and other identifying information to protect confidentiality. This publication may not be transmitted, photocopied, digitized or otherwise reproduced in any form or by any means without the permission of the copyright holder. Reproduction of this material is not covered under authorization by any reproduction rights organization. To order copies or request permission to reproduce materials, contact Ivey Publishing, Ivey Business School, Western University, London, Ontario, Canada, N6G 0N1; (t) 519.661.3208; (e) [email protected]; www.iveycases.com. Copyright © 2014, Richard Ivey School of Business Foundation Version: 2014-05-29 Amy Wilkins2 was nervous. She was preparing for what was arguably the most important job interview of her career. She was fascinated by the global payments industry and working at Visa Inc. would be a dream come true. To prepare for her interview, Wilkins wanted to make sure she clarified her understanding of the payments industry and sat down to complete her analysis. She knew that a strong performance in the interview would give her an excellent chance to get her dream job. It was a risk, but she decided to be bold – she would come up with a recommendation for some action that Visa should take. VISA COMPANY HISTORY Bank of America launched the first successful credit card, the Bank Americard.
    [Show full text]
  • Mastercard Frequently Asked Questions Platinum Class Credit Cards
    Mastercard® Frequently Asked Questions Platinum Class Credit Cards How do I activate my Mastercard credit card? You can activate your card and select your Personal Identification Number (PIN) by calling 1-866-839-3492. For enhanced security, RBFCU credit cards are PIN-preferred and your PIN may be required to complete transactions at select merchants. After you activate your card, you can manage your account through your Online Banking account and/or the RBFCU Mobile app. You can: • View transactions • Enroll in paperless statements • Set up automatic payments • Request Balance Transfers and Cash Advances • Report a lost or stolen card • Dispute transactions Click here to learn more about managing your card online. How do I change my PIN? Over the phone by calling 1-866-297-3413. There may be situations when you are unable to set your PIN through the automated system. In this instance, please visit an RBFCU ATM to manually set your PIN. Can I use my card in my mobile wallet? Yes, our Mastercard credit cards are compatible with PayPal, Apple Pay®, Samsung Pay, FitbitPay™ and Garmin FitPay™. Click here for more information on mobile payments. You can also enroll in Mastercard Click to Pay which offers online, password-free checkout. You can learn more by clicking here. How do I add an authorized user? Please call our Member Service Center at 1-800-580-3300 to provide the necessary information in order to qualify an authorized user. All non-business Mastercard account authorized users must be members of the credit union. Click here to learn more about authorized users.
    [Show full text]
  • ULTIMATE RETAIL PAYMENTS FIELD GUIDE Everything Merchants Need to Know from Those in the Know YOUR ULTIMATE GUIDE
    ULTIMATE RETAIL PAYMENTS FIELD GUIDE Everything Merchants Need to Know from Those in the Know YOUR ULTIMATE GUIDE Today’s payments landscape is the stuff of dreams for merchants. New markets are in your grasp. New payment methods offer unlimited potential. And new customers knock at your doors. But those dreams can quickly become a nightmare without the right strategies and solutions to bring them all together. In this guide, you’ll get expert insights into the hottest issues in retail payments. We’ll explore new frontiers in payments, examine investment trends and even help prevent chargebacks. And that payments jargon? Consider it covered. TABLE OF CONTENTS 1 INVESTMENT TRENDS IN RETAIL ...................................................................................................................4 2 CROSS-BORDER eCOMMERCE EXPANSION: AN ACI FRAUD PERSPECTIVE ..............................5 3 FIVE SIMPLE STEPS TO PREVENTING MORE CHARGEBACKS ..........................................................8 4 NEW FRONTIERS IN MERCHANT PAYMENTS............................................................................................10 5 DECIPHERING PAYMENTS JARGON: EIGHT KEY TERMS DEFINED .................................................12 2 3 RETAILERS ARE BATTLING RISING COSTS THROUGH INVESTMENT INVESTMENTS IN INNOVATION 48% of retailers have suffered from a rise in payment operating costs TRENDS IN over the last three years. To combat this, retailers are investing in their 1 payment platforms. 48% expect to increase their investment in payments over the RETAIL next 18-24 months 36% are investing in payment acceptance capabilities to support growth In 2018, ACI® and Ovum 16% want to improve the integration between payments and partnered to produce the 2018 other systems to drive efficiencies Global Payments Insight Survey KEY TAKEAWAY for Merchants. In it, global Strategic investments in payments will deliver more integrated and merchants shared their opinions cost-effective platforms that can enable growth.
    [Show full text]
  • 2020 Annual Report Discover Card • $71 Billion in Loans a Leading • Leading Cash Rewards Program
    2020 Annual Report Discover Card • $71 billion in loans A Leading • Leading cash rewards program Student Loans Digital Bank • $10 billion in student loans and Payments • Offered at more than 2,400 colleges Personal Loans • $7 billion in loans • Debt consolidation and major purchases Partner Home Loans • $2 billion in mortgages Discover is one of the largest digital banks in the United • Cash-out refinance and home loans States, offering a broad array of products, including credit cards, personal loans, student loans, deposit products Deposit Products and home loans. • $63 billion in direct-to-consumer deposits • Money market accounts, certificates The Discover brand is known for rewards, service and of deposit, savings accounts and checking value. Across all digital banking products, Discover seeks accounts to help customers meet their financial needs and achieve brighter financial futures. Discover Network Discover Global Network, the global payments brand of • $181 billion volume Discover Financial Services, strives to be the most flexible • 20+ network alliances and innovative payments partner in the United States and around the world. Our Network Partners business provides payment transaction processing and settlement services PULSE Debit Network on the Discover Network. PULSE is one of the nation’s • $212 billion volume leading ATM/debit networks, and Diners Club International is a global payments network with acceptance around Diners Club International the world. • $24 billion volume To my fellow shareholders, A year has passed since our world changed virtually overnight as we faced the greatest public health crisis in a century and the resulting economic contraction. We remain grateful to those on the front lines of this battle, including healthcare and emergency workers, and everyone who has taken personal risk to make sure the essential services of our society keep running.
    [Show full text]
  • Demystifying Pci Dss Liability
    CLIENT ADVISORY DEMYSTIFYING PCI DSS LIABILITY YOU CAN OUTSOURCE CREDIT CARD PROCESSING BUT NOT LIABILITY! Many business owners have misconceptions about their obligations and legal exposures if they experience a breach of payment card data. Outsourcing your company’s payment card processing to a third-party does not mean you have also outsourced the risk you take on when you accept payments by credit card. Companies are still subject to the PCI DSS - Payment Card Industry Data Security Standards – and any failure to comply with PCI DSS will expose your company to a wide range of potentially significant liabilities in the event of a breach. WHAT IS PCI DSS? Created by the five payment brands (American Express, Discover Financial Services, JCB International, Mastercard, and Visa, Inc.), PCI DSS stands for the Payment Card Industry Data Security Standards. While not de facto law, the Security Standards are technical requirements that govern the appropriate security posture for any entity who stores, processes, and/or transmits cardholder information.1 MERCHANT SERVICE AGREEMENTS A Merchant Service Agreement is the contract between a company that wishes to accept credit cards as payment for services and an acquiring bank DON’T MAKE ASSUMPTIONS or other institution that sets forth the terms and conditions under which the WHEN IT COMES TO LIABILITY… company can accept and process payment card transactions. Using a Payment Check your contracts! Processing company may simplify the point of sale process, but it does not Check your policy! absolve a retail merchant of the responsibilities assigned to it by the terms and conditions of its agreement.
    [Show full text]
  • Rupay: the Emergence of an Indian Card Giant (A Marketing Perspective)
    International Journal of Scientific and Research Publications, Volume 9, Issue 2, February 2019 525 ISSN 2250-3153 RuPay: The Emergence of an Indian Card Giant (A Marketing Perspective) Siddharth, Vijayraj, Subham Dash, Varun Chadha, Varun D. Nankani Christ (Deemed to be University) - Bannerghatta Campus Bangalore, India 2019 DOI: 10.29322/IJSRP.9.02.2019.p8667 http://dx.doi.org/10.29322/IJSRP.9.02.2019.p8667 Abstract- There have been turbulent changes in the banking sector gain an international scheme. As of July 2018, these cards were of the world which lead to capitalisation of various untapped issued to savings and current bank account holders across 1100 opportunities. One such opportunity was interbank transfers using banks including cooperative banks and Regional Rural banks. It ATM cards. VISA and MasterCard were the ones that decided to has 65% of the Indian market share and is accepted at all the capitalise on this opportunity and became the biggest payment ATMs, e-commerce portals and Pos terminals. networks of the world. RuPay is India’s very own card scheme to promote debit and It has various advantages leading to its mass acceptability. credit card transactions, which was launched in 2012, by National • The occurrence and settlement of transactions happen Payment Corporation of India (NPCI). The cost of the transaction domestically, the cost is lower and thus is affordable. in India was high in spite of the fact that in India 90% of the credit • As it is domestic in nature, it is aiming at customized transactions and almost all debit transactions are domestic.
    [Show full text]